The complaints allege that online advertising systems that funnel to ad buyers behavioral and technical data about those who visit a website violate the General Data Protection Regulation, which went into full force on May 25.

Brave contends that the data is passed to hundreds of companies looking to place ads, and there are no safeguards to ensure that the personal data is not misused or lost. The company claims this violates Article 5 of GDPR.

Together with Jim Killock of the U.K.-based Open Rights Group as well as Michael Veale, a data protection and policy researcher at University College London, Brave is asking authorities in the U.K. and Ireland to investigate Google as well as the broader targeted advertising sector.

"The problem is inherent in the design of the industry," according to the complaint submitted to the U.K.'s ICO.

Brave's Self Interest

GDPR has already reshaped the data collection and processing procedures of companies around the world. Microsoft and Facebook, for example, have said they will apply its principles worldwide in anticipation of other jurisdictions adopting similar rules (see Europe's Strong GDPR Privacy Rules Go Into Full Effect).

Regulatory experts have predicted the emergence of GDPR complaints will trigger confrontations with technology giants such as Google, Facebook and others. The companies have built staggering fortunes by attracting users with free products and building targeted advertising systems underpinned by personal data (see GDPR Effect: Data Protection Complaints Spike).

Brave's complaint comes with a strong serving of self-interest. The company is trying to upend advertising on the web by de-emphasizing the role that personal data plays in targeted advertising. The browser company was founded by former Mozilla co-founder Brendan Eich, who also created the JavaScript programming language.

The Brave browser blocks virtually all web "trackers" and beacons that transmit data used for targeted advertising. Instead, Brave is experimenting with a privacy-focused model that rewards users for interacting with ads.

That reward is paid in the Basic Attention Token, a type of digital currency created by Brave. It is also experimenting with rewarding publishers with BATs based on how long someone spends on a website, a model that doesn't rely on using personal data.

Brave's plan is to reward users and publishers with virtual currency and remove the use of personal data from targeted advertising.

Bidding For Ad Slots

Brave's GDPR complaint takes aim at "programmatic" advertising, a type of advertising system that emerged about eight years ago. It relies on a type of auctioning system that's often referred to as real-time bidding.

There are two major technology platforms for ad auctioning: OpenRTB, created by the Internet Advertising Bureau, and Google's Authorized Buyers, which formerly was known as DoubleClick Ad Exchange, according to a position paper from Johnny Ryan, Brave's chief policy and industry relations officer. Ryan's paper was submitted to regulators along with the complaints.

Many websites sign up with ad exchanges, or brokers such as Google, to fill their ad inventory. When someone visits a website, the ad exchange puts the available ad inventory up for an auction.

Before the auction takes place, the ad exchange sends data that it knows about the person and device used to view the website. The data can include what the person has viewed before, their location or IP address, tracking IDs that have been set on the computer using cookies and a variety of device-specific data. Ryan's paper says OpenRTB's specification also can include such data as a person's year of birth and gender.
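
The Python sketch below is an added example, not code from the article, Brave's complaint or the OpenRTB project. It maps the data categories listed above onto field names from the OpenRTB 2.x bid request object, reports which are present, and builds a minimised copy; the category mapping, the /24 IP truncation and the sample request are assumptions made for illustration.

```python
import copy
import ipaddress

# OpenRTB 2.x bid request fields that carry the data categories the article
# names. The category labels are this example's own mapping (an assumption).
PERSONAL_FIELDS = {
    ("user", "id"): "tracking ID",
    ("user", "buyeruid"): "tracking ID",
    ("user", "yob"): "year of birth",
    ("user", "gender"): "gender",
    ("device", "ifa"): "tracking ID",
    ("device", "ip"): "IP address",
    ("device", "geo"): "location",
    ("device", "ua"): "device-specific data",
    ("site", "page"): "content viewed",
}

def audit(bid_request):
    """Return sorted (path, category) pairs for personal fields present."""
    return sorted(
        (f"{obj}.{key}", cat)
        for (obj, key), cat in PERSONAL_FIELDS.items()
        if key in bid_request.get(obj, {})
    )

def minimise(bid_request):
    """Return a copy with identifiers dropped and the IPv4 address cut to /24."""
    out = copy.deepcopy(bid_request)
    for (obj, key) in PERSONAL_FIELDS:
        if (obj, key) != ("device", "ip"):
            out.get(obj, {}).pop(key, None)
    ip = out.get("device", {}).get("ip")
    if ip:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        out["device"]["ip"] = str(net.network_address)
    return out

# Constructed sample bid request (all values invented for illustration).
SAMPLE = {
    "id": "req-0001",
    "imp": [{"id": "1", "banner": {"w": 300, "h": 250}}],
    "site": {"domain": "news.example", "page": "https://news.example/health/article-1"},
    "device": {"ua": "ExampleBrowser/1.0", "ip": "192.0.2.77",
               "geo": {"lat": 51.5, "lon": -0.12}, "ifa": "constructed-ifa-0000"},
    "user": {"id": "u-123", "buyeruid": "b-456", "yob": 1985, "gender": "F"},
}

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(minimise(SAMPLE))
```

Even the minimised request still tells each recipient the site domain and a coarse network location, and nothing in the request itself constrains what a recipient does with the data afterwards.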

As part of the auction, the data is transmitted to potentially hundreds of other companies in order for them to determine whether they want to bid on the ad space. The online advertising industry has usually maintained that the data it collects during an individual's web browsing has been sufficiently anonymized in ways that it couldn't be linked to an actual person.

But Brave contends the data is much more than what is needed to serve relevant advertising. The data that goes to third parties also goes "well beyond the purposes which a data subject can understand, or consent or object to."

GDPR mandates that European consumers must know what data is collected prior to it being collected and how the data is used, and it also grants the right to request that data be deleted.

The Sharing Problem

Brave's complaints also contend that once the data has been transmitted to those other parties, there are no controls to ensure that it is protected and isn't misused.

Ryan's paper acknowledges that IAB Europe has recommended that to comply with GDPR, companies should only share personal data with other companies if there's a legal basis for processing it. But Ryan contends there's no way to protect the data once it's transferred.

"There are no technical measures in place to adequately protect the data," he writes. "In other words, once DSPs [demand-side partners, or ad buyers] receive personal data, they can freely trade these personal data with business partners, however they wish."

Before it changed its policies in 2014, Facebook allowed app developers using its platform to collect a variety of potentially sensitive personal information about its users. A Cambridge University professor, Aleksandr Kogan, did this when he deployed a personality quiz on the site in 2014.

Against Facebook's rules, Kogan later passed the data onto Cambridge Analytica, which at one time worked on developing digital campaigns for U.S. President Donald Trump. After the controversy erupted, Facebook pledged to see if other app developers had violated its rules and improperly shared data. In August, it said it had so far suspended 400 apps and was still investigating thousands more.

The picture that has emerged is that while Facebook contractually prohibited the sharing of personal data, it had no way of enforcing the rules or knowing if app developers had violated them.

Whether Brave's complaint will gain currency with regulators remains to be seen. But it could potentially set up one of the largest-ever battles, and one that online advertising companies are likely to fiercely contest.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
